#!/bin/sh

. STlsVars

# this file contains tests common to both tls and dtls usages

TLSDIR=$SNMP_TMPDIR/tls

#########################################
# Create the certificates

# create the ca
CAPTURE $NSCERT genca --cn ca-net-snmp.org  $NSCERTARGS

# snmpd
HOSTNAME=`hostname`
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn $HOSTNAME $NSCERTARGS
SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd  $NSCERTARGS`
CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"

# user
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser'  $NSCERTARGS
TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"

# user2
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2'  $NSCERTARGS
TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"

########################################
# Configure the .conf files

CONFIGAPP peerCert		  $SERVERFP

# common name mappings
CONFIGAGENT certSecName 9  $TESTUSERFP     --cn
CONFIGAGENT certSecName 10  $TESTUSER2FP     --cn
CONFIGAGENT  rwuser -s tsm testuser authpriv
CONFIGAGENT  rwuser -s tsm testuser2 authpriv

CRLFILE=$SNMP_TMPDIR/crlfile.pem

# configure the CRL locations
CONFIGAGENT '[snmp]' x509crlfile $CRLFILE
CONFIGAPP   '[snmp]' x509crlfile $CRLFILE

CRLCACMD="env DIR=$TLSDIR CN=ca-net-snp.org openssl ca"
CRLARGS="-config $TLSDIR/.openssl.conf -keyfile $TLSDIR/private/ca-net-snmp.org.key -cert $TLSDIR/ca-certs/ca-net-snmp.org.crt"

# generate the initial CRL
touch $TLSDIR/.index
echo "01" > $TLSDIR/.crlnumber
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"

#
# put the second client into the CRL and it shouldn't work
#
CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpapp2.crt $CRLARGS -out $CRLFILE"
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"


######################################################################
# Run the actual list of tests
#

# app flags
FLAGS="-Dtls -v3 -r1 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"

# start the agent up
AGENT_FLAGS="-Dtls"
STARTAGENT

# using user 1 - a common name mapped certificate
# (using the default "snmpapp" certificate because we don't specify another)
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECK       ".1.3.6.1.2.1.1.3.0 = Timeticks:"

# using user 2 should now fail
CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECKCOUNT  0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
CHECKAGENT  "certificate revoked"

#
# now put the server's cert into the client crl file
#
CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpd.crt $CRLARGS"
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"

# user 1 should now fail on the client side
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECK       "certificate revoked"

# cleanup
STOPAGENT

FINISHED
